Posts Tagged ‘2FA’

iOS 11 introduced multiple changes to its security model. Some of these changes are highly welcome, while we aren’t exactly fond of some others. In this quick reference guide, we tried to summarize all the changes introduced by iOS 11 in the security department.

Compared to iOS 10 and earlier versions of the system, iOS 11 introduced the following security changes:

What are iCloud authentication tokens? How they are better than good old passwords? Do they ever expire and when? Where to get them? Is there anything else I should know about tokens? This publication opens a new series on token-based authentication.

A Brief History of iCloud Extraction

When we started working with Apple iCloud more than 5 years ago to allow users download their backups, we only supported the most straightforward authentication path via login and password. Since you had to supply an Apple ID and password anyway, many people wondered what the big deal with our software was. If it required a password anyway, could you just do the same by some standard means?

The thing is there is no “standard” means. All you can do with an iCloud backup without additional software is restoring a new Apple device from it; from there, you’re on your own. Also, you can only restore over Wi-Fi, and the process is extremely slow. It takes several hours to finish, and the iPhone you’re restoring will consume a lot more traffic than just the backup (it’ll also download and install app binaries from the App Store, which can be significantly larger than the backup itself).

We loved what Apple used to do about security. During the past years, the company managed to build a complete, multi-layer system to secure its hardware and software ecosystem and protect its customers against common threats. Granted, the system was not without its flaws (most notably, the obligatory use of a trusted phone number – think SS7 vulnerability – for the purpose of two-factor authentication), but overall it was still the most secure mobile ecosystem on the market.

Not anymore. The release of iOS 11, which we praised in the past for the new S.O.S. mode and the requirement to enter a passcode in order to establish trust with a new computer, also made a number of other changes under the hood that we have recently discovered. Each and every one of these changes was aimed at making the user’s life easier (as in “more convenience”), and each came with a small trade off in security. Combined together, these seemingly small changes made devastating synergy, effectively stripping each and every protection layer off the previously secure system. Today, only one thing is protecting your data, your iOS device and all other Apple devices you have registered on your Apple account.

The passcode. This is all that’s left of iOS security in iOS 11. If the attacker has your iPhone and your passcode is compromised, you lose your data; your passwords to third-party online accounts; your Apple ID password (and obviously the second authentication factor is not a problem). Finally, you lose access to all other Apple devices that are registered with your Apple ID; they can be wiped or locked remotely. All that, and more, just because of one passcode and stripped-down security in iOS 11.

Who am I to tell you to use two-factor authentication on all accounts that support it? This recommendation coming from someone whose business is supplying law enforcement with tools helping them do their job might be taken with a grain of salt by an average consumer. Yet we still strongly believe that, however good a password you have to encrypt your local documents or NAS drives, any remotely popular online service absolutely requires an additional authentication factor.

We covered the risks related to passwords more than once. There is no lack of horror stories floating on the Internet, ranging from leaking private photos to suddenly losing access to all data and devices registered on a certain account. Today, smartphones store excessive amounts of information. If any of that data is synced with a cloud, the data will be shared with something other than just your device.

So what is that “other” thing that you need to secure access to your account? It might be something you have in addition to something you know. Something that cannot be easily stolen or accessed remotely. This is exactly what two-factor authentication is for.

All three major mobile companies, Apple, Google and Microsoft, offer very different implementations of two-factor authentication. Speaking Google, you have several convenient options: SMS (which is not really secure, and Google knows it), the recently added Google Prompt, the classic Google Authenticator app, printable backup codes, FIDO keys and a few more. (Spoiler: if you are on a different side and need to extract the data as opposed to protecting it, we have an app for that).

What about Apple? There are a few things you should definitely know about Apple’s implementation. The problem with Apple is that Apple accounts protected with two-factor authentication can be actually less secure at some points. Surprised? Keep reading.

Two-factor authentication is essential to secure one’s access to online accounts. We studied multiple implementations of two-factor authentication including those offered by Apple, Google and Microsoft. While Google’s implementation offers the largest number of options, we feel that Apple has the most balanced implementation. The closed ecosystem and the resulting deep integration with the core OS makes it easy for Apple to control exactly how it works and on which devices.

Suppressing the Prompt

Since Apple introduced Two-Factor Authentication (as a replacement of the older and much less secure Two-Step Verification), Apple customers are alerted immediately of someone’s attempt to access their Apple account. A 2FA prompt is pushed instantly and concurrently to all devices the user has in their Apple account once someone attempts to log in. This has always been a hassle for forensic experts trying to perform investigations without alerting the suspect, as merely entering a login and password and seeing a 2FA prompt would mean it’s already too late, as the suspect has been alerted with a prompt.

Or, better to say, it used to be an issue. Just not anymore! Elcomsoft Phone Breaker 8.1, our newest release, now carries out an additional check (which wasn’t exactly easy to make since there is no official API and obviously no documentation), allowing the tool to detect whether or not Two-Factor Authentication is enabled on a given Apple account without triggering a 2FA prompt. The expert will now have the choice of whether to proceed (and potentially alert the suspect) or stop right there.

Google has started its journey on convincing people to move away from SMS-based verification, and start receiving push messages via the Google Prompt instead of using six-digit codes. Why does Google want us away from SMS, and why using Google Prompt instead? Let’s try to find out.

SMS Are Insecure, Aren’t They?

In late July 2016, the US National Institute of Standards and Technology’s (NIST) released an updated set of guidelines that deprecated SMS as a way to deliver two factor authentication because of their many insecurities. A year later, NIST took it back, no longer recommending to “deprecate” SMS usage. Are we, or are we not at risk if we choose to have our two-factor authentication delivered over the (arguably) insecure SMS channel?

In the US, Factory Reset Protection (FRP) is a mandatory part of each mobile ecosystem. The use of factory reset protection in mobile devices helped tame smartphone theft by discouraging criminals and dramatically reducing resale value of stolen devices. Compared to other mobile ecosystems, Apple’s implementation of factory reset protection has always been considered exemplary. A combination of a locked bootloader, secure boot chain and obligatory online activation of every iPhone makes iCloud lock one exemplary implementation of factory reset protection.

All one needs to do is enable the Find My Phone option in iCloud settings. In fact, this option is enabled by default once you set up your new iPhone. After that, even if you lose your iPhone and someone else attempts to reset it to factory defaults, the device will be still locked to your iCloud account. Unlocking the device (removing iCloud lock) requires access to your Apple ID, password, and secondary authentication factor if you have Two-Factor Authentication enabled. Sounds pretty secure so far?

Apple is about to launch its next-generation iOS in just a few days. Researching developer betas, we discovered that iOS 11 implements a number of new security measures. The purpose of these measures is better protecting the privacy of Apple customers and once again increasing security of device data. While some measures (such as the new S.O.S. sequence) are widely advertised, some other security improvements went unnoticed by the public. Let us have a look at the changes and any forensic implications they have.

Establishing Trust with a PC Now Requires a Passcode

For the mobile forensic specialist, one of the most compelling changes in iOS 11 is the new way to establish trust relationship between the iOS device and the computer. In previous versions of the system (which includes iOS 8.x through iOS 10.x), establishing trusted relationship only required confirming the “Trust this computer?” prompt on the device screen. Notably, one still had to unlock the device in order to access the prompt; however, fingerprint unlock would work perfectly for this purpose. iOS 11 modifies this behaviour by requiring an additional second step after the initial “Trust this computer?” prompt has been confirmed. During the second step, the device will ask to enter the passcode in order to complete pairing. This in turn requires forensic experts to know the passcode; Touch ID alone can no longer be used to unlock the device and perform logical acquisition.

As you may know, we have recently updated Elcomsoft Cloud Explorer, bumping the version number from 1.30 to 1.31. A very minor update? A bunch of unnamed bug fixes and performance improvements? Not really. Under the hood, the new release has major changes that will greatly affect usage experience. What exactly has changed and why, and what are the forensic implications of these changes? Bear with us to find out.

Beginning with Windows 8.1 and Windows Phone 8.1, Microsoft started unifying its mobile and desktop operating systems. No wonder the two versions of Microsoft’s latest OS, Windows 10, share the same approach to two-factor authentication.

Microsoft employs a somewhat unique approach to two-factor authentication. Even if the user does not want to use two-factor authentication and does not set up any secondary authentication methods, in some circumstances Microsoft would still prompt to confirm account login. Just like Google, the company would verify unusual sign-in activities occurring from a new device in another country. However, it’s not just that. Microsoft would also try to verify Microsoft Account activities once the user attempts to restore a new phone (Windows Phone 8.1 or Windows 10 Mobile) from OneDrive backup. Interestingly, Microsoft would do exactly the same verification if one sets up an account on a new PC (desktop, laptop or tablet) and attempts to restore from OneDrive backup.